Server device and program management system

ABSTRACT

The server apparatus (120) includes a CPU (121), a RAM (122), a cipher processing unit (123) for carrying out encryption and decryption, a communication processing unit (124) for carrying out communication with an information processing terminal (100), a data storage unit (125) for storing information that does not require confidentiality, a distribution information storage unit (126) for storing information such as a program to be distributed, and a specific information distribution history holding unit (140) for holding a specific information distribution history (600) that records the program specific information of each program previously distributed to the information processing terminal (100).

TECHNICAL FIELD

The present invention relates to a server apparatus that distributes a program which runs on an information processing terminal, as well as a program management system composed of a server apparatus and an information processing terminal, and particularly to technology for the revocation of an information processing terminal attempting an unauthorized use of a program.

BACKGROUND ART

Following the development of the network in recent years, many electronic commerce systems for conducting commerce via the network and content distribution systems for the distribution of contents such as movies and music have been disclosed. In these systems, not only valuable information such as rights for the use of a content and keys used for billing, but also programs themselves, such as a music player program, can be exchanged among devices connected via the network. Furthermore, aside from the conventional PC, it is predicted that the exchange of programs in this manner will also be implemented in built-in devices such as a mobile phone, and the like.

Now, if it is possible for a user with malicious intent to illicitly rewrite a program when a commercial system involving billing, such as electronic shopping or a content distribution service, is implemented via the network, there is a danger that fraudulent transactions, such as the purchase of goods and contents free of charge through manipulation of billing information, will be carried out. For that reason, where error correction and supplementing through program updating via the network are carried out, there is a need to verify the validity of a program in order to prevent unauthorized use by a user with malicious intent.

A method that makes use of a digital signature exists as a conventional method for verifying the validity of a program (refer to the official publication of Japanese Laid-Open Patent Application No. 2000-339153, for example). In this method, an encrypted data exchange system using a set of two paired keys, referred to as public key cryptography, is utilized. FIG. 20 is an explanatory diagram for the program validity verification method that makes use of such a digital signature.

A program issuer 2000 transmits a public key 2001 to a certification authority (CA) 2010, which is a third-party organization that confirms and guarantees the identity of a program issuer. Subsequently, the certification authority 2010 confirms and examines the identity of the program issuer 2000. In the case where the program issuer 2000 is judged as being authentic, the certification authority 2010 issues a public key certificate 2003 for the public key 2001 of the program issuer 2000, to which a digital signature is attached using a CA private key 2012. The public key certificate 2003 includes information identifying the subject of the public key, and indicates that the certification authority 2010 guarantees the identity of the public key subject. The certification authority 2010 then transmits the public key certificate 2003 to the program issuer 2000.

The program issuer 2000 signs the program to be distributed to a user 2020 with a digital signature using a private key 2002, and distributes the public key certificate 2003 as well as the signed program 2004.

The user 2020 obtains a CA public key 2011 from the certification authority 2010, and verifies the signature of the public key certificate 2003 of the program issuer using the CA public key 2011. In the case where the signature is properly verified, the public key 2001 included in the public key certificate 2003 is used to verify the signature of the signed program 2004. In the case where this signature is properly verified, it can be verified that the distributed program is a program distributed from the program issuer 2000, and that it has not been tampered with.

Accordingly, by attaching the digital signature of the program issuer 2000 to the program, the validity of the program is guaranteed, and the user 2020 can verify that an obtained program 2021 is a program that is rightfully distributed from the program issuer 2000, in this validity verification system.
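The two-step check of FIG. 20, written out as an added example in Go (this is not code from the patent). Ed25519 from the Go standard library stands in for the unspecified public key algorithm, and the certificate is reduced to a subject name, a public key and the CA's signature over both; the identity examination the CA performs before signing is outside the code. The point the code makes is the ordering: the issuer's public key is trusted for verifying the program only after the CA's signature over it has been verified, which is what defeats a forged certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate stands in for public key certificate 2003: the subject's
// identity and public key 2001, with the CA's signature over both.
// (Simplified for the example; a real certificate carries more fields.)
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// certBytes is the byte string the CA signs. The length prefix keeps the
// subject and the key from being parsed as each other.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	b := []byte{byte(len(subject))}
	b = append(b, subject...)
	return append(b, pub...)
}

// IssueCertificate plays certification authority 2010: after checking the
// issuer's identity (out of scope here) it signs the issuer's public key
// with CA private key 2012.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PublicKey: pub, CASig: ed25519.Sign(caPriv, certBytes(subject, pub))}
}

// SignedProgram is signed program 2004: the program and the issuer's signature.
type SignedProgram struct {
	Body []byte
	Sig  []byte
}

// SignProgram is what program issuer 2000 does with private key 2002.
func SignProgram(issuerPriv ed25519.PrivateKey, body []byte) SignedProgram {
	return SignedProgram{Body: body, Sig: ed25519.Sign(issuerPriv, body)}
}

var (
	ErrBadCertificate = errors.New("certificate signature does not verify under the CA public key")
	ErrBadProgram     = errors.New("program signature does not verify under the issuer public key")
)

// VerifyProgram is the check user 2020 performs. The certificate is verified
// with CA public key 2011 first; only a public key vouched for by the CA is
// then used to verify the program, so an attacker cannot ship a program
// signed with their own key together with a certificate they made up.
func VerifyProgram(caPub ed25519.PublicKey, cert Certificate, sp SignedProgram) error {
	if !ed25519.Verify(caPub, certBytes(cert.Subject, cert.PublicKey), cert.CASig) {
		return ErrBadCertificate
	}
	if !ed25519.Verify(cert.PublicKey, sp.Body, sp.Sig) {
		return ErrBadProgram
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(caPriv, "program issuer 2000", issuerPub)
	genuine := SignProgram(issuerPriv, []byte("music player program (constructed sample)"))
	fmt.Println("genuine program:", VerifyProgram(caPub, cert, genuine))

	// Program tampered with after signing: the issuer's signature no longer matches.
	tampered := SignedProgram{Body: []byte("music player program, billing check removed"), Sig: genuine.Sig}
	fmt.Println("tampered program:", VerifyProgram(caPub, cert, tampered))

	// Attacker signs with their own key and forges a certificate for it; the
	// certificate check fails because the CA never signed that key.
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := IssueCertificate(attPriv, "program issuer 2000", attPub)
	fmt.Println("forged certificate:", VerifyProgram(caPub, forged, SignProgram(attPriv, []byte("trojan"))))
}
```

Note that VerifyProgram never reads a key out of a certificate it has not yet verified; the common mistake in hand-rolled chain checks is to do the two steps in the other order or to accept a certificate whose subject matches without checking the CA signature at all.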

However, although program validity verification is carried out at the time of distribution in the validity verification system shown in FIG. 20, it is not possible to guarantee the validity of the program in an information processing terminal after distribution. Furthermore, details regarding the workings of public key cryptography as well as certificates, signatures, and certification are written in a variety of publications (refer to "Applied Cryptography", Bruce Schneier, John Wiley & Sons, Inc. (1996), for example).

As a method for resolving this issue, there is a method where a program is distributed by being encrypted at the program distribution source using a user identifier for the program distribution destination, and the user uses the user identifier to decrypt and execute the program at the time of use (refer to the official publication of Japanese Laid-Open Patent Application No. 07-295800, for example). In this method, unauthorized copying and unauthorized manipulation can be prevented, as even if by some chance a program is illicitly copied, the program cannot be decrypted and executed unless the user identifier matches.

Furthermore, a distribution apparatus that can physically prevent unlimited distribution from being carried out, and physically enforce abidance by a contract of use with regard to program copying, by judging the propriety of the distribution according to the difference between the number of program copies and the number of copy authorizations, is disclosed as a program distribution apparatus (refer to the official publication of Japanese Laid-Open Patent Application No. 06-87220, for example).

In this invention, the program distribution apparatus stores, for each program, the information processing apparatus which is the distribution destination, and distributes a program according to the number of copy authorizations and the number of copies.

On the other hand, in the case where a commercial system using the network, which involves billing such as electronic shopping or a content distribution service, is implemented, a method for identifying a user is necessary, as billing of the user is carried out. As one of these methods, there are cases where specific information, such as an ID or a key allocated to each user, is included within a program or within information distributed together with a program. In this case, specific information is allocated to each user, and by managing the specific information at the program distribution source, which is the server apparatus side, a user can be identified based on the specific information when the user carries out an unauthorized action.

FIG. 21 is a reference diagram of the conventional program management system used between an information processing terminal 2101 and a server apparatus 2102, as well as a server apparatus 2103. Moreover, in FIG. 21, the server apparatuses are separated into the application data server apparatus 2103 and the program server apparatus 2102 for the purpose of explanation.

The information processing terminal 2101 obtains a music player program that can download and play desired music data from the server apparatus 2102, which is the program distribution source. It is assumed that this music player program includes the specific information "0101". Moreover, in seeking safe distribution, the communication channel is encrypted using Secure Sockets Layer (SSL), preventing attacks such as eavesdropping.

When the user of the information processing terminal 2101 requests the obtainment of music data, and so on, a music data obtainment request with the specific information "0101" attached is transmitted from the information processing terminal 2101 to the application server apparatus 2103. The server apparatus 2103 possesses a revocation list (CRL: certificate revocation list) for excluding an unauthorized information processing terminal that executes the music player program. As the specific information "0101" transmitted together with the music data obtainment request from the information processing terminal 2101 is listed in the CRL, the transmission of music data to the information processing terminal 2101 is not carried out. Conversely, in the case where the specific information "0101" is not listed in the CRL, the requested music data is sent to the information processing terminal 2101.

In this manner, if the specific information of the program possessed by the information processing terminal 2101 which is carrying out unauthorized program usage is identified, it is possible to revoke the information processing terminal 2101 which is attempting an unauthorized usage by using the CRL.

Moreover, safe distribution, which protects download data from unauthorized acts by preventing manipulation and replacement of the download data (eavesdropping being prevented by the SSL-encrypted channel mentioned above), is made possible by attaching a digital signature to the data to be downloaded from the server apparatus 2102 to the information processing terminal 2101 and performing signature verification at the information processing terminal 2101 side.

However, the problem of an increased processing load on the program distribution source arises in the method described above, where program encryption according to individual user identifiers is carried out at the program distribution source.

Furthermore, the aforementioned method, in which a program distribution apparatus stores, for each program, the information processing apparatus which is the distribution destination, and distributes a program according to the number of copy authorizations and the number of copies, is a method in which the program distribution apparatus confirms the ID of the apparatus which is the distribution destination and distributes a program according to the number of copy authorizations, for every distribution request. It is not a method that prevents the unauthorized use of a program.

In addition, in the method shown in FIG. 21, where the server apparatus 2103 uses a CRL listing the specific information of programs to revoke an information processing terminal 2101 attempting an unauthorized usage, a problem exists: even when data obtainment is refused according to the CRL of the server apparatus 2103 because the information processing terminal 2101 attempting to obtain data illicitly is identified as an unauthorized terminal, the revocation using the CRL of the server apparatus 2103 can be circumvented. This circumvention is carried out by the user of the information processing terminal 2101 downloading different specific information from the server apparatus 2102 and updating the specific information of the program with the new specific information.

The present invention is conceived in view of issues such as those mentioned above and has as a first objective to provide a server apparatus that prevents an unauthorized information processing terminal, which has been revoked according to a list using specific information, from avoiding such revocation by obtaining new specific information from the server apparatus which is the program distribution source. Furthermore, the present invention also has the objective of reducing the processing load on a server apparatus with regard to program distribution to an information processing terminal.

Furthermore, the present invention has as another objective to provide a program management system that can prevent unauthorized usage of a program by an information processing terminal, by refusing an obtainment request for new specific information from an unauthorized information processing terminal, in a program management system where program distribution is carried out between a server apparatus and an information processing terminal.

DISCLOSURE OF INVENTION

In order to resolve the aforementioned issues, the server apparatus in the present invention is a server apparatus, connected via a network to an information processing terminal holding a terminal ID that cannot be rewritten externally, that holds a program running on the information processing terminal, the server apparatus comprising a table holding unit operable to hold a table indicating a relation between a previously distributed program and a terminal ID, and a decision unit operable to decide, by referring to the table, whether or not to distribute a program in response to a program obtainment request, with the terminal ID attached, transmitted from the information processing terminal.

Furthermore, the program distributed from the server apparatus in the present invention to the information processing terminal includes a program body running on the information processing terminal and program specific information for running said program body, and the decision unit decides i) to distribute only the program body to the information processing terminal, prohibiting distribution of the program specific information, in the case where the terminal ID attached to the program obtainment request is recorded in the table, and ii) to add the terminal ID and the program specific information to the table in correspondence with each other, and distribute the program body and the program specific information to the information processing terminal, in the case where said terminal ID is not recorded in the table.

Accordingly, the server apparatus can prevent the information processing terminal from obtaining new program specific information corresponding to a previously distributed program, and the unauthorized acts of an information processing terminal attempting to avoid revocation by obtaining new program specific information can be prevented.
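The decision unit just described, together with the CRL check at the application data server and the circumvention attempt of FIG. 21 that it defeats, as an added example in Go (not code from the patent). The table is keyed by program ID and then terminal ID, which is one reading of "a relation between a previously distributed program and a terminal ID"; the terminal ID is taken as an already-authenticated string (the server obtains it from the terminal's certificate at connection time); and the format of the program specific information identifiers is made up for the example.

```go
package main

import (
	"fmt"
	"sync"
)

// ProgramRequest is a program obtainment request: the terminal ID the server
// obtained from the terminal's certificate, plus the program ID wanted.
type ProgramRequest struct {
	TerminalID string
	ProgramID  string
}

// Distribution is the decision unit's answer. SpecificInfo is empty when the
// server distributes only the program body (case i).
type Distribution struct {
	ProgramBody  []byte
	SpecificInfo string
}

// ProgramServer holds the distribution information and the specific
// information distribution history (table 600): for each program, which
// terminal ID already received which program specific information.
type ProgramServer struct {
	mu       sync.Mutex
	programs map[string][]byte            // program ID -> program body
	history  map[string]map[string]string // program ID -> terminal ID -> specific information ID
	nextSeq  int                          // constructed: sequence number for fresh specific information
}

func NewProgramServer() *ProgramServer {
	return &ProgramServer{programs: map[string][]byte{}, history: map[string]map[string]string{}}
}

func (s *ProgramServer) AddProgram(id string, body []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.programs[id] = body
}

// Decide is the decision unit. A terminal already in the table for this
// program gets the body only: re-requesting can never yield fresh specific
// information, so a revoked identifier cannot be swapped for a clean one.
func (s *ProgramServer) Decide(req ProgramRequest) (Distribution, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	body, ok := s.programs[req.ProgramID]
	if !ok {
		return Distribution{}, fmt.Errorf("unknown program %q", req.ProgramID)
	}
	seen := s.history[req.ProgramID]
	if seen == nil {
		seen = map[string]string{}
		s.history[req.ProgramID] = seen
	}
	if _, recorded := seen[req.TerminalID]; recorded {
		return Distribution{ProgramBody: body}, nil // case i): body only
	}
	s.nextSeq++
	info := fmt.Sprintf("%s-%04d", req.ProgramID, s.nextSeq)
	seen[req.TerminalID] = info // case ii): record first, then distribute both
	return Distribution{ProgramBody: body, SpecificInfo: info}, nil
}

// History reports the specific information recorded for a terminal, if any.
func (s *ProgramServer) History(programID, terminalID string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	info, ok := s.history[programID][terminalID]
	return info, ok
}

// AppServer is the application data server: it serves data only when the
// specific information attached to the request is not on its revocation list.
type AppServer struct {
	revoked map[string]bool
}

func NewAppServer() *AppServer { return &AppServer{revoked: map[string]bool{}} }

func (a *AppServer) Revoke(info string) { a.revoked[info] = true }

// ServeData reports whether a data request carrying this specific information is allowed.
func (a *AppServer) ServeData(specificInfo string) bool {
	return specificInfo != "" && !a.revoked[specificInfo]
}

func main() {
	ps := NewProgramServer()
	ps.AddProgram("music-player", []byte("music player body (constructed sample)"))
	app := NewAppServer()

	first, _ := ps.Decide(ProgramRequest{TerminalID: "T-0001", ProgramID: "music-player"})
	fmt.Println("first download, specific info:", first.SpecificInfo)
	fmt.Println("data request allowed:", app.ServeData(first.SpecificInfo))

	// The terminal misbehaves and its specific information is put on the CRL.
	app.Revoke(first.SpecificInfo)
	fmt.Println("after revocation, data request allowed:", app.ServeData(first.SpecificInfo))

	// Evasion attempt of FIG. 21: download the program again hoping for new
	// specific information. T-0001 is in the table, so only the body comes
	// back and the revoked identifier is still all it can present.
	again, _ := ps.Decide(ProgramRequest{TerminalID: "T-0001", ProgramID: "music-player"})
	fmt.Printf("re-download: body=%d bytes, new specific info=%q\n", len(again.ProgramBody), again.SpecificInfo)
	fmt.Println("still allowed with the old specific info:", app.ServeData(first.SpecificInfo))
}
```

The order inside Decide matters: the table entry is written before the specific information is handed out, under the same lock, so two concurrent requests from the same terminal ID cannot both land in case ii). The whole scheme also rests on the terminal ID being unforgeable (the patent requires it to be non-rewritable and carried in a CA-signed certificate); a terminal that could present a fresh ID would simply be a new terminal to this table.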

Moreover, in order to resolve the aforementioned issues, the program management system in the present invention is a program management system comprising an information processing terminal holding a terminal ID that cannot be rewritten externally, and a server apparatus, connected via a network to the information processing terminal, that holds a program running on the information processing terminal, wherein the information processing terminal transmits, to the server apparatus, a program obtainment request with the terminal ID attached when requesting the obtainment of a program, and the server apparatus includes a table holding unit operable to hold a table indicating a relation between a previously distributed program and a terminal ID after receiving the program obtainment request, and a decision unit operable to decide, by referring to the table, whether or not to distribute a program in response to a program obtainment request, with the terminal ID attached, transmitted from the information processing terminal.

In this manner, the present invention can be implemented not only as the server apparatus mentioned above, but also as a program management system used between the server apparatus and the information processing terminal, or as a program distribution method which uses the units included in the server apparatus as steps. Furthermore, it goes without saying that the present invention can be implemented as a program for implementing such a program distribution method on a computer, or the like, and that such a program can be brought into circulation via a recording medium such as a CD-ROM, or a transmission medium such as a communication network.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a configuration diagram of the information processing terminal and the server apparatus in the first embodiment.

FIG. 2 is a configuration diagram of the program entirety which is transmitted from the server apparatus in the first embodiment to the information processing terminal side.

FIG. 3A is a diagram showing an example of information stored in a program header.

FIG. 3B is a diagram showing an example of information stored in a program.

FIG. 4A is a diagram showing an example of information stored in the specific information header.

FIG. 4B is a diagram showing an example of information stored in the program specific information.

FIG. 5 is a diagram showing the operational procedure in the program updating sequence between the information processing terminal and the server apparatus.

FIG. 6 is a diagram showing an example of the information stored in the specific information distribution history held by the specific information distribution history holding unit.

FIG. 7 is a flowchart showing the distribution procedure for a program in the server apparatus.

FIG. 8 is an overall diagram of the program management system using a server apparatus, in the first embodiment.

FIG. 9 is a diagram showing a different data structure included in a program header and a program, in the first embodiment.

FIG. 10 is a diagram showing a different data structure included in the specific information header and the program specific information.

FIG. 11 is a configuration diagram of the information processing terminal and the server apparatus in the second embodiment of the present invention.

FIG. 12A is a diagram showing an example of information included in the specific information distribution history in the second embodiment.

FIG. 12B is a diagram showing an example of information included in the program/specific information correspondence chart in the second embodiment.

FIG. 13 is a flowchart showing the program distribution procedure in the server apparatus.

FIG. 14 is a configuration diagram of the information processing terminal and the server apparatus, in the third embodiment.

FIG. 15 is a chart showing an example of the information stored in the distribution number information in the third embodiment.

FIG. 16 is a flowchart showing the program distribution procedure in the server apparatus.

FIG. 17 is a configuration diagram of the information processing terminal and the server apparatus, in the fourth embodiment.

FIG. 18A is a diagram showing an example of data stored in the distribution number information in the fourth embodiment.

FIG. 18B is a diagram showing an example of data stored in the program/specific information correspondence chart in the fourth embodiment.

FIG. 19 is a flowchart showing the program distribution procedure in the server apparatus.

FIG. 20 is an explanatory diagram for a program validity verification method using the conventional digital signature.

FIG. 21 is a reference diagram of the conventional program management system used between an information processing terminal and server apparatuses.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the server apparatus as well as the program management system according to the embodiments of the present invention shall be explained using the diagrams.

First Embodiment

FIG. 1 shows a configuration diagram of an information processing terminal 100 and a server apparatus 120 in the first embodiment of the present invention.

The information processing terminal 100 is a terminal apparatus that uses a program, obtained from the server apparatus 120, for electronic commerce, content distribution, or the like. It is made up of a CPU 101, a RAM 102, a cipher processing unit 103 for carrying out the encryption and decryption of a program, data, or the like, a communication processing unit 104 for carrying out communication with the server apparatus 120, a program storage unit 105 for storing a program, a data storage unit 106 for storing information that does not particularly require confidentiality, such as a CA public key, and a confidential information storage unit 107 for storing information that requires confidentiality, such as a private key.

The program storage unit 105 stores a program 116 that runs on the CPU 101.

The data storage unit 106 stores, from among the data used by the information processing terminal 100, data which does not particularly require confidentiality. It stores a CA public key 109 as well as program management information 108, which is management information, such as a program ID and a version number, of a program stored in the information processing terminal 100.

Furthermore, the confidential information storage unit 107 stores information that requires confidentiality within the information processing terminal 100. It stores a terminal specific key 110, which is a key that is different for each information processing terminal; a terminal private key 111, which is the private half of a key pair that is different for each information processing terminal; program specific information 112, which is a specific key used by a program; and a terminal public key certificate 113, which carries the public half of that key pair. Furthermore, the terminal public key certificate 113 includes a terminal ID 114, which is an ID that uniquely identifies the information processing terminal 100, and a CA signature 115 attached to the terminal public key certificate 113 by the certification authority.

On the other hand, the server apparatus 120 in the present invention is an apparatus for distributing a program requested by the information processing terminal 100. It is made up of a CPU 121, a RAM 122, a cipher processing unit 123 for carrying out the encryption and decryption of a program, data, or the like, a communication processing unit 124 for carrying out communication with the information processing terminal 100, a data storage unit 125 for storing information that does not particularly require confidentiality, such as a CA public key, a distribution information storage unit 126 for storing information such as a program to be distributed to the information processing terminal 100, and a specific information distribution history holding unit 140.

Further, the server apparatus 120 in the present invention is characterized by possessing the specific information distribution history holding unit 140. This specific information distribution history holding unit 140 holds a specific information distribution history 600 for the purpose of managing the history of the program specific information of programs that have been distributed to the information processing terminal 100.

The data storage unit 125 is a region for storing information used by the server apparatus 120. It stores a server private key 127, which is the private half of a key pair, a server public key certificate 128, which carries the public half of that pair, and a CA public key 129. The server public key certificate 128 includes a server ID 130, which is an ID that uniquely identifies the server, and a CA signature 131 attached to the server public key certificate by the CA. The distribution information storage unit 126 is a region for storing information distributed by the server apparatus 120 to the information processing terminal 100. It stores a program header 300, a program 310, a specific information header 400, and program specific information 420. Furthermore, a diagram of the program in its entirety, which is the distribution information, is shown in FIG. 2, described later.

A signature of the CA, which is a third-party certification organization, is attached to each of the program header 300, the program 310, the specific information header 400, and the program specific information 420 stored in the distribution information storage unit 126. Through this CA signature, the distribution information is guaranteed as being information distributed from a valid distribution source.

FIG. 2 is a configuration diagram of the program entirety 200 which is transmitted from the server apparatus 120 in the present embodiment to the information processing terminal 100. This program entirety 200 is information stored in the distribution information storage unit 126 of the server apparatus 120. In the present embodiment, it is structured from the program header 300, the program 310, the specific information header 400, and the program specific information 420. Furthermore, in the present invention, the program entirety 200 is characterized by being separated into the program 310 and the program specific information 420, and in addition, by each of these being separated into a header segment and a data segment.

Moreover, in the program management system in the present embodiment, in the case where the information processing terminal 100 obtains application data to be used by the program 310 from the server apparatus 120 or the like, the application data obtainment request is transmitted with the program specific information 420 attached. As a result, it becomes possible to reject an unauthorized information processing terminal through a CRL using the program specific information 420, held by the server apparatus 120 or the like.

FIGS. 3A and 3B are diagrams showing an example of information stored in the program header 300 and the program 310.

The program header 300 stores information regarding the program 310, and includes the following information:

(1) a program ID (301) indicating the program 310 to which the information stored by the program header 300 corresponds;
(2) a version number (302) of the corresponding program 310;
(3) a program size (303) of the corresponding program 310;
(4) a program hash value (304) of the corresponding program 310; and
(5) a CA signature (305) for the program header 300 as a whole, which covers the information from (1) to (4) mentioned previously.

In addition, a CA signature (311) corresponding to the program 310 is attached to the program 310. In this manner, it is possible to verify, in the information processing terminal 100, that the program header and the program are distributed from a valid distribution source, as the program header 300 and the program 310 include the CA signatures 305 and 311 respectively.

FIGS. 4A and 4B are diagrams showing an example of information stored in the specific information header 400 and the program specific information 420.

The specific information header 400 stores information regarding the program specific information 420, and includes the following information:

(1) a program specific information ID (401) indicating the program specific information 420 to which the information stored by the specific information header 400 corresponds;
(2) a program ID (402) of the program 310 using the corresponding program specific information 420;
(3) a specific information number (403), which is the number of individual specific information items stored by the corresponding program specific information 420;
(4) an overall size (404) of the corresponding program specific information 420;
(5) specific information subheaders (405) indicating information regarding the individual specific information items included in the corresponding program specific information 420. As many specific information subheaders 405 are stored as there are individual specific information items (1 to n) in the program specific information 420; and
(6) a CA signature (406) for the specific information header 400 as a whole, which covers the information from (1) to (5) mentioned previously.

In addition, each specific information subheader 405 is composed of a program specific information sub-ID 411, which is an ID for identifying an individual specific information item, and a size 412 of that individual specific information item.

Furthermore, the program specific information 420 includes a plurality of individual program specific information items (421), and a CA signature (422) for the entire program specific information. As such, it is possible to verify, in the information processing terminal 100, that the specific information header 400 and the program specific information 420 are distributed from a valid distribution source, as the specific information header 400 and the program specific information 420 both include CA signatures (406 and 422 respectively).

Next, an example of the operating procedure in the program updating sequence carried out between the information processing terminal 100 and the server apparatus 120 shall be explained with the use of FIG. 5. In this program updating sequence, the information processing terminal 100 first carries out a header obtainment request, and a confirmation of the available area is carried out. Furthermore, an information processing terminal 100 attempting an unauthorized use of a program can be revoked in the server apparatus 120 by referring to the specific information distribution history 600 in the specific information distribution history holding unit 140.

First, the information processing terminal 100 establishes a connection with the server apparatus 120 through SSL (S501). At this time, the server apparatus 120 obtains the terminal ID of the information processing terminal 100 (the terminal ID 114 is carried in the CA-signed terminal public key certificate 113, so the server apparatus 120 can rely on it only after verifying that certificate with the CA public key 129). It should be noted that SSL is a mechanism in which data is transmitted and received in encrypted form, using both public key cryptography and symmetric key cryptography, in order to transmit and receive data safely between two points. Furthermore, as a key referred to as a session key, which is valid only for that session, is shared in SSL, the transmission and reception of data between the information processing terminal 100 and the server apparatus 120 from S502 onward shown in FIG. 5 are all carried out as data encrypted with the session key.

Next, the information processing terminal 100 carries out a header obtainment request to the server apparatus 120, designating the program ID of the program 310 to be obtained (S502). At this time, the server apparatus 120 confirms the correspondence relation between the terminal ID and the program specific information ID according to the specific information distribution history 600 held in the specific information distribution history holding unit 140. In other words, it confirms whether or not program specific information has already been distributed to the information processing terminal 100. Then, in the case where it is judged that the header obtainment request is from an authorized information processing terminal, the server apparatus 120, having received the header obtainment request, transmits the program header 300 stored in the distribution information storage unit 126 to the information processing terminal 100 (S503).

Having received the program header 300 from the server apparatus 120, the information processing terminal 100 verifies the CA signature included in the program header 300 using the CA public key 109 stored in the data storage unit 106 (S504). With this, the information processing terminal 100 verifies that the program header 300 is unmanipulated information distributed from a valid distribution source. Furthermore, as information regarding the program, such as the program ID 301, version number 302, size 303, and program hash value 304, is stored in the program header 300, the information processing terminal 100 compares this information with the program ID, version information, and available capacity information described in the program management information 108 stored in the data storage unit 106, and confirms whether the program 310 to be updated was correctly distributed from the server apparatus 120, and whether available capacity for storing the program 310 exists (S504). In this way, the information processing terminal 100 in the present embodiment avoids failures, such as a lack of storage capacity discovered only after the download, that would otherwise cause the obtainment of the program 310 to be abandoned.

Next, the server apparatus 120 transmits the specific information header400 stored in the distribution information storage unit 126 to theinformation processing terminal 100 (S505).

Then, having received the specific information header 400 from theserver apparatus 120, the information processing terminal 100 verifiesthe CA signature included in the specific information header 400 usingthe CA public key 109 stored in the data storage unit 106 (S506). Withthis, the information processing terminal 100 verifies that the specificinformation header 400 is unmanipulated information distributed from avalid distribution source. Information regarding the program specificinformation 420, such as the program specific ID 401 for uniquelyidentifying the program specific information 420, the program ID 402 ofa program associated with the program specific information 420, thespecific information number 403 which is the number of specificinformation included in the information distributed through the programspecific information 420, and the size 404, is stored in the specificinformation header 400. As such, the information processing terminal 100compares such information with the program ID, and available capacityinformation described within the program management information 108stored in the data storage unit 106, and confirms whether the programspecific information 420 regarding the program 310 to be updated iscorrectly distributed from the server apparatus 120, and whetheravailable capacity for storing the program specific information 420exists, before downloading of the program 310 (S506).

Then, in the case where it is judged that the obtainment of the program310 and the program specific information 420 can be carried out, theinformation processing terminal 100 carries out a program obtainmentrequest to the server apparatus 120 by designation a program ID (S507).

Having received the program obtainment request, the server apparatus 120transmits the program 310 stored in the distribution information storageunit 126 to the information processing terminal 100 (S508). Having thereceived the program 310 from the server apparatus 120, the informationprocessing terminal 100 verifies the CA signature included in theprogram 310 using the CA public key 109 stored in the data storage unit106 (5509). With this, the information processing terminal 100 verifiesthat the program 310 is unmanipulated information distributed from avalid distribution source. In the case where the validity of theobtained data is verified, the obtained program 310 is encrypted withthe terminal specific key 110 stored in the confidential informationstorage unit 107, and stored in the program storage unit 105 (S509). Atthat time, program management is carried out by storing the programstorage position, program ID, version number, and so on, in the programmanagement information 108.

Next, after the storage of the program is finished, the program 116stored in the program storage unit 105 is decrypted using the terminalspecific key 110, and the hash value is calculated. A comparison iscarried out between the calculated hash value and the hash value storedin the program header 300, and the correct storage of the program isconfirmed (S510).

Next, the information processing terminal 100 carries out a programspecific information obtainment request by designating the program ID tothe server apparatus 120 (S511).

Subsequently, the server apparatus 120 transmits the program specificinformation 420 stored in the distribution information storage unit 126to the information processing terminal 100 (S512). Having received theprogram specific information 420 from the server apparatus 120, theinformation processing terminal 100 verifies the CA signature includedin the program specific information 420 using the CA public key 109stored in the data storage unit 106 (S513). With this, the informationprocessing terminal 100 verifies that the program specific information420 is unmanipulated information distributed from a valid distributionsource. In the case where the validity of the obtained data is verified,the obtained program specific information 420 is stored in theconfidential information storage unit 107 (S513).

Finally, after the storage of the program and program specificinformation by the information processing terminal 100 is finished, thecommunication between the information processing terminal 100 and theserver apparatus 120 is closed (S514).

In this manner, the information processing terminal 100 in the presentembodiment can carry out safer downloading of a program by confirmingwhether available capacity for storing the program 310 exists, and soon, through the performance of the header obtainment request. Moreover,in this case, by calculating the hash values of the program 310 as wellas the program specific information 420, and comparing the calculatedhash values with the hash values stored in the program header 300 aswell as the program specific information header 400, confirmation ofvalid distribution information can also be cited.

FIG. 6 is a diagram showing an example of the information stored in the specific information distribution history 600 held in the specific information distribution history holding unit 140.

The specific information distribution history 600 is assumed to be the table in which the server apparatus 120 records the program specific information 420 corresponding to a program previously distributed to an information processing terminal 100, together with the terminal ID of that information processing terminal 100.

Specifically, the server apparatus 120 stores, in the specific information distribution history holding unit 140, a terminal ID 601, which identifies the information processing terminal 100 to which the program specific information 420 was distributed, and a program specific information ID 602, which identifies the distributed program specific information 420. Furthermore, a last distribution date 603, indicating the date on which the program specific information 420 was last distributed, is stored in the specific information distribution history 600 as needed.

In FIG. 6, the server apparatus 120 has distributed five items of program specific information 420 to information processing terminals 100. The respective pairs of terminal ID 601 and program specific information ID 602 are (terminal ID, program specific information ID) = (0001, 0001), (0002, 0002), (0010, 0003), (0015, 0004), (0020, 0005).

FIG. 7 is a flowchart showing the distribution procedure for the program 310 in the server apparatus 120.

First, the server apparatus 120 receives a program distribution request from the information processing terminal 100 (S701). Next, the server apparatus 120 obtains the terminal ID of the information processing terminal 100 included in the received program distribution request (S702), and searches for the obtained terminal ID in the specific information distribution history 600 (S703). It then judges whether or not the same terminal ID is stored in the specific information distribution history 600 (S704).

Where the same terminal ID is stored in the specific information distribution history 600 (Yes in S704), the server apparatus 120 transmits only the program 310 and concludes the process (S708), since the program specific information 420 has already been distributed to that information processing terminal 100.

Where the same terminal ID is not stored in the specific information distribution history 600 (No in S704), the server apparatus 120 allocates new program specific information 420 to the information processing terminal 100 (S705). The specific information distribution history 600 is then updated by adding the correspondence between the terminal ID 601 and the program specific information ID 602 of the newly allocated program specific information 420 (S706). Subsequently, the server apparatus 120 transmits the program specific information 420 to the information processing terminal 100 (S707), transmits the program 310 to the information processing terminal 100 (S708), and concludes the process.

In this manner, distribution of more than one item of program specific information 420 to a single information processing terminal 100 is reliably prevented by managing the distribution of program specific information with the specific information distribution history 600 in the server apparatus 120. Consequently, the server apparatus 120 does not allocate new program specific information 420 to an information processing terminal 100 that has already been recognized as unauthorized and revoked, by means of its program specific information 420, according to a CRL or the like. An information processing terminal 100 attempting to evade revocation by obtaining new program specific information 420 is therefore thwarted. Note that this gate is keyed on the terminal ID presented in the request, so it is only as strong as the authenticity of that terminal ID.

FIG. 8 is an overall diagram of the program management system using the server apparatus 120 in the present embodiment.

A program server apparatus 120a transmits, to an information processing terminal 100, the program corresponding to a program obtainment request. An application data server apparatus 120b transmits, to the information processing terminal 100, application data used by the program running on the information processing terminal 100. It should be noted that the explanation of FIG. 8 assumes that the information processing terminal 100 holds a program with the program specific information "0101", and that it is a terminal attempting to illicitly obtain new program specific information in order to evade revocation according to a CRL 800. Furthermore, to facilitate safe program distribution, the communication channel is assumed to be an encrypted channel using SSL.

When the user of the information processing terminal 100 requests application data, an application obtainment request with the program specific information "0101" of the program held by the information processing terminal 100 attached is transmitted to the application data server apparatus 120b.

The server apparatus 120b holds a revocation list (CRL) 800 of unauthorized programs, expressed in terms of program specific information. Since the program specific information "0101" attached to the obtainment request from the information processing terminal 100 is listed in the CRL 800, the unauthorized information processing terminal is revoked by withholding the application data. Conversely, where the program specific information is not listed in the CRL 800, the server apparatus 120b transmits the application data to the information processing terminal 100. Furthermore, manipulation or replacement of download data on the communication channel is detected by attaching a CA signature to the data downloaded from the server apparatus 120a or the like and verifying that signature at the information processing terminal 100, while eavesdropping is prevented by the encrypted channel.

The user of the information processing terminal 100 whose program specific information "0101" is listed in the CRL 800 issues an obtainment request for program specific information to the program server apparatus 120a in order to obtain different, new program specific information and evade revocation according to the CRL.

In such a case, the server apparatus 120a of the present invention holds, in the specific information distribution history holding unit 140, a specific information distribution history 600 in which the terminal ID "0102" of the information processing terminal 100 and the program specific information ID "0101" are recorded for the previously distributed program.

Subsequently, when a request for new program specific information is made from the information processing terminal 100 to the server apparatus 120a, the server apparatus 120a judges whether or not the terminal ID "0102" attached to the request is recorded in the specific information distribution history 600. Where it is recorded, distribution of program specific information is refused and only the program body is distributed to the information processing terminal 100. Where, on the other hand, no program specific information ID corresponding to the terminal ID attached to the request is recorded in the specific information distribution history 600, the terminal ID and the program specific information ID are associated with each other and added to the specific information distribution history 600, and both the program and the program specific information are distributed to the information processing terminal 100.

Thus the server apparatus 120a never distributes program specific information to the same information processing terminal 100 a second time, whereas the program body may be distributed two or more times without consequence. This is because it is the program specific information that is revoked according to the CRL 800, so the user of the information processing terminal 100 attempting unauthorized use remains revoked for as long as the program specific information is not renewed.
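The two server-side decisions described above, the history-gated allocation of FIG. 7 (S701 to S708) and the CRL check of FIG. 8, as an added example that is not part of the patent. It walks the FIG. 8 scenario: terminal "0102" already holds program specific information "0101", which is on the CRL, and asks again. In-memory tables stand in for the specific information distribution history holding unit 140 and the CRL 800; the ID generator, the table shapes, the class and function names and all sample data are assumptions of this example.

```python
# Added example, not the patent's own code: the history-gated allocation of
# FIG. 7 (S701-S708) and the CRL check of FIG. 8, with in-memory tables
# standing in for the specific information distribution history holding
# unit 140 and the CRL 800. IDs, table shapes and names are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import itertools


@dataclass
class HistoryEntry:
    """One row of specific information distribution history 600."""
    terminal_id: str              # terminal ID 601
    specific_info_id: str         # program specific information ID 602
    last_distribution_date: date  # last distribution date 603


class ProgramServer:
    """Server apparatus 120a: hands out the program body freely, but program
    specific information at most once per terminal ID."""

    def __init__(self, program_body: bytes, first_free_id: int = 1):
        self.program_body = program_body
        self.history: dict[str, HistoryEntry] = {}   # keyed by terminal ID
        self._ids = itertools.count(first_free_id)   # constructed ID source

    def _allocate_specific_info(self) -> tuple[str, bytes]:
        """S705: allocate a fresh, never-distributed specific information item."""
        sid = f"{next(self._ids):04d}"
        return sid, f"constructed-specific-info-{sid}".encode()

    def handle_distribution_request(self, terminal_id: str, today: date) -> dict:
        """S701-S708. Returns what is transmitted back to the terminal."""
        if terminal_id in self.history:                      # S703/S704: Yes
            return {"program": self.program_body, "specific_info": None}  # S708 only
        sid, info = self._allocate_specific_info()           # S705
        self.history[terminal_id] = HistoryEntry(terminal_id, sid, today)  # S706
        return {"program": self.program_body, "specific_info": (sid, info)}  # S707+S708


class ApplicationServer:
    """Server apparatus 120b: withholds application data when the presented
    program specific information ID is listed in the CRL 800."""

    def __init__(self, crl: set[str], app_data: bytes):
        self.crl = set(crl)
        self.app_data = app_data

    def handle_app_request(self, specific_info_id: str) -> bytes | None:
        return None if specific_info_id in self.crl else self.app_data


def fig8_scenario() -> dict:
    """Terminal 0102 holds specific information 0101, which is on the CRL; it
    is refused application data, then tries the program server again hoping
    for a fresh ID, and is refused that too. A new terminal 0300 still gets one."""
    ps = ProgramServer(b"constructed-program-body", first_free_id=200)
    ps.history["0102"] = HistoryEntry("0102", "0101", date(2004, 1, 1))
    app = ApplicationServer(crl={"0101"}, app_data=b"constructed-application-data")

    app_reply = app.handle_app_request("0101")
    retry = ps.handle_distribution_request("0102", date(2004, 6, 1))
    fresh = ps.handle_distribution_request("0300", date(2004, 6, 1))
    return {
        "revoked_gets_app_data": app_reply is not None,
        "revoked_gets_new_specific_info": retry["specific_info"] is not None,
        "revoked_still_gets_program": retry["program"] == ps.program_body,
        "fresh_terminal_specific_info_id": fresh["specific_info"][0],
        "history_rows": len(ps.history),
    }


if __name__ == "__main__":
    print(fig8_scenario())
```

The point the scenario makes is that the two servers need share nothing but the specific information ID: 120b only consults the CRL, and 120a only consults its own history, yet the revoked terminal cannot obtain a second ID because the history is keyed on the terminal ID it must present.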

FIG. 9 is a diagram showing a different data structure for a program header 900 and a program 910 in the present embodiment. FIG. 9 differs from FIG. 3 in that no CA signature 311 is attached to the program 910.

The program header 900 stores information regarding the program 910, and includes a program ID 901, a version number 902, a program size 903, a program hash value 904, and a CA signature 905, which are the same as the information included in the aforementioned program header 300.

When the information processing terminal 100 verifies the validity of the program header 900 and the program 910, it first obtains the program header 900 from the server apparatus 120 and verifies the CA signature 905 attached to the program header 900. With this, the information processing terminal 100 verifies that the program header 900 is unmanipulated information distributed from a valid distribution source.

Next, the hash value of the program 910 is calculated, and the calculated hash value is compared with the program hash value 904 stored in the program header 900 to confirm that they match. Because the hash value is covered by the signature on the header, a match allows the information processing terminal 100 to verify that the program 910 is unmanipulated information distributed from a valid distribution source.

In this manner, by using the program hash value 904 stored in the program header 900 and attaching the CA signature 905 to the program header 900 only, the validity of the program 910 can be verified in the same way as when signatures are attached to both the program header 900 and the program 910, while reducing the amount of information requiring a CA signature. Furthermore, where the combination of the program header 900 and the program 910 is illicitly changed, the mismatch is detected through the program hash value calculation in the information processing terminal 100. Moreover, since no CA signature is attached to the program 910, the program 910 itself no longer needs to be forwarded to the certification authority for signature attachment; only the header, which carries its hash, does.

Next, FIG. 10 is a diagram showing a different data structure for a specific information header 1000 and program specific information 1020. FIG. 10 differs from FIG. 4 in that the specific information header 1000 carries a program specific information hash value 1005 and no CA signature 422 is attached to the program specific information 1020.

The specific information header 1000 stores information regarding the program specific information 1020, and is made up of a program specific information ID 1001, a program ID 1002, a specific information number 1003, an overall size 1004 of the program specific information, a hash value 1005 over the whole of the program specific information, a specific information subheader 1006, and a CA signature 1007 over the entire specific information header. Apart from the hash value 1005, these are the same as the information included in the above-mentioned specific information header 400.

Accordingly, by calculating the hash value of the program specific information 1020 and confirming that it matches the program specific information hash value 1005 stored in the signed specific information header 1000, the information processing terminal 100 can verify that the program specific information 1020 is unmanipulated information distributed from a valid distribution source.
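The terminal-side checks described for S504, S509 and S510 above, and the FIG. 9 / FIG. 10 variant in which only the header is signed and the body is bound to it by its hash, share one verification chain. The following added example (not the patent's code) implements that chain for a program header 900 and program 910, including the encrypt-store-decrypt-rehash confirmation of S510. Two stand-ins are assumptions for offline runnability: the CA signature is replaced by an HMAC-SHA256 under a key the terminal holds (a real terminal verifies a public-key signature with CA public key 109, which a MAC does not model), and the terminal specific key 110 encrypts with a SHA-256 counter-mode keystream, a toy cipher and not a recommendation. The "newer version" rule in the management check, the field names and the sample program are also assumptions.

```python
# Added example, not the patent's code. Verification chain of FIG. 9:
# signed header -> body hash in header -> body; then S509/S510 encrypt with
# the terminal specific key, decrypt and re-hash to confirm storage.
# Assumptions: HMAC-SHA256 stands in for the CA signature (not a real
# signature); SHA-256 counter-mode XOR is a toy stand-in for the cipher.
from __future__ import annotations
import hashlib
import hmac
import struct
from dataclasses import dataclass

CA_KEY = b"constructed-ca-key"                      # stand-in for the CA signing key
TERMINAL_KEY = b"constructed-terminal-specific-key-110"  # stand-in for key 110


@dataclass(frozen=True)
class ProgramHeader:
    """Program header 900: fields 901-905."""
    program_id: str
    version: int
    size: int
    program_hash: bytes
    ca_signature: bytes

    def signed_fields(self) -> bytes:
        return b"|".join([self.program_id.encode(), str(self.version).encode(),
                          str(self.size).encode(), self.program_hash])


def make_header(program_id: str, version: int, program: bytes) -> ProgramHeader:
    """Server/CA side: hash the body and sign the header only (FIG. 9)."""
    digest = hashlib.sha256(program).digest()
    unsigned = ProgramHeader(program_id, version, len(program), digest, b"")
    sig = hmac.new(CA_KEY, unsigned.signed_fields(), hashlib.sha256).digest()
    return ProgramHeader(program_id, version, len(program), digest, sig)


def verify_header(hdr: ProgramHeader) -> bool:
    """S504: header authenticity (CA signature 905, stood in by HMAC)."""
    expected = hmac.new(CA_KEY, hdr.signed_fields(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, hdr.ca_signature)


def check_management_info(hdr: ProgramHeader, expected_program_id: str,
                          installed_version: int, free_capacity: int) -> bool:
    """S504: compare header against program management information 108.
    Requiring a strictly newer version is an assumption of this example."""
    return (hdr.program_id == expected_program_id
            and hdr.version > installed_version
            and hdr.size <= free_capacity)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter). Same
    function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def store_program(hdr: ProgramHeader, program: bytes) -> bytes | None:
    """S509: verify header, bind body to header via hash 904, then encrypt
    with the terminal specific key. Returns ciphertext, or None on rejection."""
    if not verify_header(hdr):
        return None
    if not hmac.compare_digest(hashlib.sha256(program).digest(), hdr.program_hash):
        return None  # body swapped or manipulated relative to the signed header
    return _keystream_xor(TERMINAL_KEY, program)


def confirm_stored(hdr: ProgramHeader, stored: bytes) -> bool:
    """S510: decrypt what was written and compare the plaintext hash with 904."""
    plain = _keystream_xor(TERMINAL_KEY, stored)
    return hmac.compare_digest(hashlib.sha256(plain).digest(), hdr.program_hash)


def demo() -> dict:
    program = b"constructed music player program body " * 4
    hdr = make_header("0001", 2, program)
    stored = store_program(hdr, program)
    tampered = program[:-1] + b"X"
    bad_sig = ProgramHeader(hdr.program_id, hdr.version, hdr.size,
                            hdr.program_hash, b"\x00" * 32)
    return {
        "header_ok": verify_header(hdr),
        "mgmt_ok": check_management_info(hdr, "0001", 1, 4096),
        "stored_ok": stored is not None and confirm_stored(hdr, stored),
        "tampered_rejected": store_program(hdr, tampered) is None,
        "bad_sig_rejected": store_program(bad_sig, program) is None,
        "stored_not_plaintext": stored != program,
    }


if __name__ == "__main__":
    print(demo())
```

The same chain applies unchanged to the specific information header 1000 and program specific information 1020 of FIG. 10, with hash value 1005 in place of 904; the order of checks matters, since comparing the body hash before the header signature has been verified would let an attacker supply a matching header and body pair of their own.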

As described above, because the server apparatus 120 of the present embodiment has the specific information distribution history holding unit 140, it can prevent an information processing terminal 100 from obtaining new program specific information for a program that was previously distributed to it. Secure downloading is thereby realized, since unauthorized acts such as tampering by an information processing terminal 100 attempting to evade revocation by obtaining new program specific information 420 are blocked.

Furthermore, by having the information processing terminal 100 encrypt the program obtained from the server apparatus 120 using the terminal specific key 110, stored in a secure flash memory or the like that can only be accessed from inside the terminal, the conventional process of encrypting the program at the server apparatus with a key specific to each information processing terminal becomes unnecessary, and the program encryption load of the server apparatus 120 is reduced. Note that in this case, when encryption is carried out in the information processing terminal 100 with the terminal specific key 110, it is necessary to confirm that the encryption was carried out properly. On this point, in the present invention, the information processing terminal 100 decrypts the stored program with the terminal specific key 110 after storage and verifies it against the hash value of the plaintext program, so the success or failure of program storage can be determined without the server having to deal with the terminal specific key 110, which differs for each information processing terminal 100.

In addition, the program as a whole is separated into the program 310 and the program specific information 420, which are created individually by the server apparatus 120. Accordingly, by managing a plurality of items of program specific information 420, which are comparatively small and differ for each information processing terminal 100, and only one program 310, which is large but common to all information processing terminals 100, the amount of distribution information to be managed by the server apparatus 120 is greatly reduced, which in turn reduces the information processing load.

Furthermore, by storing the hash value of the program specific information 1020 in the specific information header 1000 and attaching the CA signature 1007 to the specific information header 1000 only, the server apparatus 120 attains the same result as when the CA signature 1007 is attached to both the specific information header 1000 and the program specific information 1020, while reducing the information requiring a CA signature. In addition, where the combination of the specific information header 1000 and the program specific information 1020 is illicitly changed, the mismatch is detected through calculation of the hash value of the program specific information 1020 in the information processing terminal 100.

It should be noted that the format of the specific information distribution history 600 held in the specific information distribution history holding unit 140 shown in the present embodiment is one example. The last distribution date 603 may be omitted, and other information may be added. Furthermore, although distribution of program specific information 420 to a terminal ID 601 recorded in the specific information distribution history 600 is refused in the present embodiment, program specific information 420 that has already been distributed may be distributed again to the information processing terminal 100 having that terminal ID 601, provided the obtainment is not an unauthorized one. Redistributing the same item preserves the revocation property, since the terminal is left holding the same program specific information ID that the CRL refers to.

Further, in the server apparatus 120 of the present embodiment, the request from the information processing terminal 100 may be either a program distribution request, which involves distribution of a program, or a program specific information distribution request, which does not.

In addition, although transmission and reception of encrypted data between the information processing terminal 100 and the server apparatus 120 is carried out using SSL, protocols other than SSL may be used, as long as they allow safe transmission and reception of data between the two endpoints.

Moreover, although the data storage unit 106 and the program storage unit 105 are kept separate in the present embodiment, they may also be a single storage unit. Furthermore, although the terminal public key certificate 113 is stored in the confidential information storage unit 107, it may also be stored in the data storage unit 106.

Moreover, in the server apparatus 120 the program header 300 and the specific information header 400 are created separately from the program 310 and the program specific information 420. However, it is also possible to treat the program 310 and the program header 300, and likewise the program specific information 420 and the specific information header 400, as single units of information from which only the header portions are cut out and transmitted ahead of the distribution from the server apparatus 120.

In addition, although the present embodiment shows an example in which the program 310 and the program specific information 420 are encrypted with the session key upon distribution, a configuration is also possible in which further encryption is applied using a key different from the session key, that key being transmitted within the program header 300 and the specific information header 400.

Furthermore, the item described as a hash value in the present embodiment may use an existing hash algorithm such as SHA-1 or MD5, or an original algorithm (SHA-1 and MD5 are now considered cryptographically weak; a current implementation would use SHA-256 or later). Furthermore, in place of a hash algorithm, manipulation may also be detected using a method such as a checksum, with the caveat that a checksum detects accidental corruption only: an attacker who can alter the body can also make its checksum match the value in the signed header, so a cryptographic hash is needed for the manipulation detection described here. Furthermore, distribution of program specific information is not required where the program to be distributed does not need different information for each information processing terminal 100.

Second Embodiment

FIG. 11 shows the configuration of an information processing terminal 1100 and a server apparatus 1120 in the second embodiment of the present invention. The point of difference from the first embodiment is that the server apparatus 1120 holds a program/specific information correspondence chart holding unit 1150.

The program/specific information correspondence chart holding unit 1150 is a storage unit holding a program/specific information correspondence chart 1210, which indicates the correspondence between a program specific ID uniquely identifying program specific information and a program ID uniquely identifying the program that uses that program specific information.

FIG. 12A and FIG. 12B are diagrams showing examples of the information included in the specific information distribution history 1200 and the program/specific information correspondence chart 1210 in the present embodiment.

A specific information distribution history holding unit 1140 manages a specific information distribution history 1200, which differs from the specific information distribution history 600 of the first embodiment in additionally carrying a program ID 1202 identifying the program to which distributed program specific information corresponds. Since the terminal ID 1201, program specific information ID 1203, and last distribution date 1204 stored in the specific information distribution history 1200 are the same as those in FIG. 6, their detailed description is omitted.

In the example of the specific information distribution history 1200, the server apparatus 1120 has already distributed five items of program specific information to information processing terminals 1100, and the respective sets of terminal ID 1201, program ID 1202, and program specific information ID 1203 are (terminal ID, program ID, program specific information ID) = (0001, 0001, 0001), (0002, 0001, 0002), (0010, 0001, 0003), (0015, 0001, 0004), (0020, 0002, 1001).

In addition, the program/specific information correspondence chart holding unit 1150 stores, in the program/specific information correspondence chart 1210, the correspondence between a program ID 1211 of each program managed by the server apparatus 1120 and program specific information 1212 identifying the program specific information used by that program.

In the example of FIG. 12A and FIG. 12B, the server apparatus 1120 manages a program with program ID 0001 and, as the program specific information used by that program, program specific information with IDs from 0001 to 1000. Likewise, it manages a program with program ID 0002 and the program specific information with IDs from 1001 to 2000 used by that program. Furthermore, a distribution start ID 1213, which is the program specific information ID to be handed out at the next program specific information distribution, is stored in the program/specific information correspondence chart 1210 in order to prevent program specific information that has already been distributed from being distributed again to an information processing terminal 1100.

The example in FIG. 12B shows that, when new program specific information is allocated for the program with program ID 0001, the server apparatus 1120 allocates the program specific information with program specific ID 0123. Likewise, when new program specific information is allocated for the program with program ID 0002, the server apparatus 1120 allocates the program specific information with program specific ID 1423.

Furthermore, in response to a program distribution request from the information processing terminal 1100 that designates a program ID, the server apparatus 1120 uses the program/specific information correspondence chart 1210 to distribute the program specific information corresponding to that program ID.

The program distribution procedure in the second embodiment of the present invention is explained using FIG. 13, which is a flowchart showing the program distribution procedure in the server apparatus 1120.

First, the server apparatus 1120 receives a program distribution request from the information processing terminal 1100 (S1301). This program distribution request designates a program ID.

Next, the server apparatus 1120 obtains the terminal ID of the information processing terminal 1100 and the program ID from the received program distribution request (S1302). The obtained terminal ID and program ID are then searched for in the specific information distribution history 1200 (S1303), and it is confirmed whether or not a record with the same terminal ID and program ID is stored in the specific information distribution history 1200 (S1304).

Where a record with the same terminal ID and program ID is stored in the specific information distribution history 1200 (Yes in S1304), the server apparatus 1120 transmits only the program 1133 and concludes the process (S1309), since the program specific information 1135 for the designated program has already been distributed to that information processing terminal 1100.

Where no record with the same terminal ID and program ID is stored in the specific information distribution history 1200 (No in S1304), the server apparatus 1120 allocates new program specific information 1135 to the information processing terminal 1100, based on the distribution start ID stored in the program/specific information correspondence chart 1210 (S1305).

Next, the server apparatus 1120 refers to the program/specific information correspondence chart 1210 stored in the program/specific information correspondence chart holding unit 1150 and updates the value of the distribution start ID 1213 to reflect the newly allocated program specific information 1135 (S1306). Furthermore, the correspondence between the terminal ID and the program specific information ID of the newly allocated program specific information 1135 is added to the specific information distribution history 1200 (S1307). Subsequently, the server apparatus 1120 transmits the program specific information 1135 to the information processing terminal 1100 (S1308), then transmits the program 1133 (S1309), and concludes the process.

As described above, by possessing the specific information distribution history holding unit 1140 and the program/specific information correspondence chart holding unit 1150, and by managing the distribution of program specific information with the specific information distribution history 1200 and the program/specific information correspondence chart 1210, the server apparatus 1120 of the present embodiment can prevent the distribution of more than one item of program specific information 1135 for the same program running on one information processing terminal 1100. Consequently, an information processing terminal 1100 attempting to evade revocation by obtaining new program specific information 1135 is prevented from doing so.

Furthermore, by managing the distribution of program specific information 1135 on a per-program basis, recording in the specific information distribution history 1200 which program was downloaded to which information processing terminal 1100 and in the program/specific information correspondence chart 1210 which program specific information belongs to which program, the server apparatus 1120 of the present embodiment can decide for each program whether or not to distribute program specific information 1135. The server apparatus 1120 can likewise refer to the program/specific information correspondence chart 1210 and refuse to distribute a program to an information processing terminal 1100 on which that program is not intended to run.

Moreover, although the data storage unit 1106 and the program storage unit 1105 are separate in the present embodiment, they may also be a single storage unit. Furthermore, the format of the specific information distribution history 1200 shown in the present embodiment is one example; the last distribution date 1204 may be omitted and other information may be added. Likewise, the format of the program/specific information correspondence chart 1210 is one example, and the distribution start ID 1213 may be managed in a different form. For example, the distribution status of program specific information 1135 may be managed by a table that stores all the program specific information IDs together with a flag, per program, indicating whether or not each has already been allocated.

Furthermore, although distribution of program specific information 1135 to a terminal ID 1201 recorded in the specific information distribution history 1200 is refused in the present embodiment, program specific information 1135 that has already been distributed may be distributed again to that information processing terminal 1100. Furthermore, in the present embodiment, the request from the information processing terminal 1100 may be a program distribution request, which involves distribution of a program, or a program specific information distribution request, which does not.
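The per-program gate of FIG. 13 (S1301 to S1309) together with the range bookkeeping of the program/specific information correspondence chart 1210, as an added example that is not the patent's code. It uses the ID ranges and distribution start IDs of FIG. 12A and FIG. 12B (program 0001 owns IDs 0001 to 1000 with next ID 0123; program 0002 owns 1001 to 2000 with next ID 1423). What happens when a request names a program the server does not manage, and when a program's range is exhausted, is not specified by the patent; refusing in both cases is an assumption of this example, as are the class and field names and the sample data.

```python
# Added example, not the patent's code: second-embodiment distribution gate
# keyed on (terminal ID, program ID), allocating from per-program ID ranges
# via the distribution start ID 1213. Names, refusal behaviour for unknown
# programs and for exhausted ranges, and all sample data are assumptions.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ChartRow:
    """One row of program/specific information correspondence chart 1210."""
    first_id: int   # lowest program specific information ID owned by the program
    last_id: int    # highest ID owned by the program
    next_id: int    # distribution start ID 1213


class Server1120:
    def __init__(self, program_bodies: dict[str, bytes]):
        self.programs = program_bodies
        # specific information distribution history 1200:
        # (terminal ID 1201, program ID 1202) -> program specific information ID 1203
        self.history: dict[tuple[str, str], str] = {}
        # correspondence chart 1210, values from FIG. 12A/B
        self.chart: dict[str, ChartRow] = {
            "0001": ChartRow(1, 1000, 123),
            "0002": ChartRow(1001, 2000, 1423),
        }

    def handle_request(self, terminal_id: str, program_id: str) -> dict:
        """S1301-S1309. Returns the reply sent to the terminal."""
        if program_id not in self.chart:
            # program not managed for any terminal: refuse (assumption)
            return {"error": "program not managed", "program": None,
                    "specific_info_id": None}
        key = (terminal_id, program_id)                  # S1302/S1303
        if key in self.history:                          # S1304: Yes
            return {"program": self.programs[program_id],
                    "specific_info_id": None}            # S1309 only
        row = self.chart[program_id]
        if row.next_id > row.last_id:
            # range exhausted: never re-issue an old ID (assumption)
            return {"error": "specific information exhausted",
                    "program": None, "specific_info_id": None}
        sid = f"{row.next_id:04d}"                       # S1305
        row.next_id += 1                                 # S1306
        self.history[key] = sid                          # S1307
        return {"program": self.programs[program_id],
                "specific_info_id": sid}                 # S1308 + S1309


def demo() -> dict:
    s = Server1120({"0001": b"constructed-program-0001",
                    "0002": b"constructed-program-0002"})
    first = s.handle_request("0100", "0001")     # fresh pair -> ID 0123
    repeat = s.handle_request("0100", "0001")    # same pair -> program only
    other = s.handle_request("0100", "0002")     # different program -> ID 1423
    unknown = s.handle_request("0100", "0003")   # not in chart -> refused
    s.chart["0001"].next_id = 1001               # simulate exhausted range
    drained = s.handle_request("0500", "0001")
    return {
        "first_id": first["specific_info_id"],
        "repeat_id": repeat["specific_info_id"],
        "repeat_got_program": repeat["program"] is not None,
        "other_id": other["specific_info_id"],
        "unknown_refused": unknown.get("error") is not None,
        "drained_refused": drained.get("error") is not None,
        "next_id_0001_after_first": 124 if s.chart["0001"].next_id == 1001 else None,
        "history_rows": len(s.history),
    }


if __name__ == "__main__":
    print(demo())
```

Keying the history on the (terminal ID, program ID) pair is what lets one terminal hold specific information for several programs while still being unable to obtain a second item for any one of them; the per-program ranges additionally let the CRL identify which program a revoked ID belongs to.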

Third Embodiment

FIG. 14 shows the configuration diagram of an information processing terminal 1400 and a server apparatus 1420 in the present embodiment. In the same diagram, the point of difference from the aforementioned first and second embodiments is that the server apparatus 1420 possesses a distribution number information holding unit 1440.

This distribution number information holding unit 1440 is a hard disk holding distribution number information 1500 for managing the number of times program specific information 1435 has been distributed from the server apparatus 1420 to the same information processing terminal 1400.

FIG. 15 is a chart showing an example of the information stored in the distribution number information 1500 in the present embodiment.

A terminal ID 1501 for identifying an information processing terminal 1400 to which program specific information 1435 has been distributed, and a counter 1502 indicating the number of times of distribution, are stored in the distribution number information 1500. In the example in the same chart, it is indicated that program specific information 1435 has been distributed once to the information processing terminals 1400 with the terminal IDs 0001 and 0002, and that program specific information 1435 has not been distributed to the information processing terminal 1400 with the terminal ID 0003.

FIG. 16 is a flowchart showing the program distribution procedure in the server apparatus 1420.

First, the server apparatus 1420 receives a program distribution request from the information processing terminal 1400 (S1601). Next, the server apparatus 1420 obtains the terminal ID of the information processing terminal 1400 included in the program distribution request received in S1601 (S1602).

Subsequently, the server apparatus 1420 searches the distribution number information 1500 stored in the distribution number information holding unit 1440 for the terminal ID obtained in S1602, and obtains the value of the counter (S1603). Furthermore, it determines whether or not the obtained counter value is greater than or equal to a prescribed value (S1604).

In the case where the obtained counter value is greater than or equal to the prescribed value (Yes in S1604), the server apparatus 1420 transmits only a program 1433 (S1608) and concludes the process, as program specific information 1435 has already been distributed to the information processing terminal 1400 a number of times equaling or exceeding the prescribed number.

On the other hand, in the case where the obtained counter value is less than the prescribed value (No in S1604), the server apparatus 1420 allocates program specific information 1435 anew to the information processing terminal 1400 (S1605). Furthermore, the server apparatus 1420 increments the counter in the distribution number information 1500 stored in the distribution number information holding unit 1440 (S1606). Subsequently, the server apparatus 1420 transmits the program specific information 1435 to the information processing terminal 1400 (S1607), then transmits the program 1433 (S1608), and concludes the process.

In this manner, by possessing the distribution number information holding unit 1440 and managing the distribution of program specific information 1435 using the distribution number information 1500, the server apparatus 1420 in the present embodiment can prevent program specific information 1435 from being distributed to a single information processing terminal 1400 a number of times equaling or exceeding the prescribed value. In particular, where the prescribed value is set to 1, the server apparatus 1420 can prevent an information processing terminal 1400 that has been recognized and revoked as an unauthorized terminal, through the use of information included in program specific information 1435 as in the first and second embodiments, from being allocated new program specific information 1435 in order to avoid revocation.

Furthermore, by setting the prescribed value for the number of distributions of program specific information 1435 to 2 or more, re-distribution or new distribution of program specific information 1435 can be duly carried out for a user who purchases a program again not for unauthorized purposes but for reasons such as a hard disk breakdown. The prescribed value therefore trades tolerance for legitimate re-acquisition against the number of fresh program specific information a revoked terminal can still obtain.

Moreover, although a data storage unit 1406 and a program storage unit 1405 are separate in the present embodiment, they can also be a single storage unit. Furthermore, the format of the distribution number information 1500 indicated in the present embodiment is one example, and other information may be added. Furthermore, in the present embodiment, the request from the information processing terminal 1400 can be either a program distribution request, which involves the distribution of a program, or a program specific information distribution request, which does not.

Fourth Embodiment

FIG. 17 shows the configuration diagram of an information processing terminal 1700 and a server apparatus 1720 in the present embodiment. In the same diagram, the point of difference from the third embodiment is that the server apparatus 1720 holds a program/specific information correspondence chart holding unit 1750. This program/specific information correspondence chart holding unit 1750 is the same storage unit as the program/specific information correspondence chart holding unit 1150 explained in FIG. 11.

FIG. 18A and FIG. 18B are diagrams showing an example of data stored in distribution number information 1800 and a program/specific information correspondence chart 1810 in the present embodiment.

The distribution number information 1800 stores a program ID 1801 of a distributed program, a terminal ID 1802 of the information processing terminal 1700 to which program specific information 1735 has been distributed, and a counter 1803 indicating the number of times program specific information has been distributed. The point of difference from the distribution number information 1500 in the aforementioned third embodiment is that a program ID 1801 identifying the program that uses the program specific information is added.

The distribution number information 1800 indicates that program specific information 1735 used by the program with program ID 0001 has been distributed once to the information processing terminals 1700 with the terminal IDs 0001 and 0002, and has not been distributed to the information processing terminal 1700 with the terminal ID 0003. Likewise, it indicates that program specific information 1735 used by the program with program ID 0002 has been distributed once to the information processing terminal 1700 with the terminal ID 0001, and has not been distributed to the information processing terminals 1700 with the terminal IDs 0002 and 0003.

Moreover, the program/specific information correspondence chart 1810 is the same as the program/specific information correspondence chart 1210 in FIG. 12 mentioned earlier, so detailed explanation shall be omitted.

FIG. 19 is a flowchart showing the program distribution procedure in the server apparatus 1720.

First, the server apparatus 1720 receives a program distribution request from the information processing terminal 1700 (S1901). The program distribution request includes the program ID of the program whose obtainment is being requested by the information processing terminal 1700. Next, the server apparatus 1720 obtains the terminal ID of the information processing terminal 1700 and the program ID included in the program distribution request received in S1901 (S1902).

Subsequently, the server apparatus 1720 searches the distribution number information 1800 for the terminal ID and program ID obtained in S1902, and obtains the value of the counter (S1903). Next, it determines whether or not the obtained counter value is greater than or equal to a prescribed value (S1904).

In the case where the obtained counter value is greater than or equal to the prescribed value (Yes in S1904), the server apparatus 1720 transmits only a program 1733 (S1909) and concludes the process, as program specific information 1735 has already been distributed to the information processing terminal 1700 a number of times equaling or exceeding the prescribed number.

In the case where the obtained counter value is less than the prescribed value (No in S1904), the server apparatus 1720 allocates new program specific information 1735 to the information processing terminal 1700, based on the distribution start ID stored in the program/specific information correspondence chart 1810 (S1905).

Subsequently, the server apparatus 1720 updates the value of the distribution start ID stored in the program/specific information correspondence chart 1810 to account for the program specific information 1735 newly allocated in S1905 (S1906). Furthermore, it increments the counter stored in the distribution number information 1800 (S1907), and transmits the program specific information 1735 to the information processing terminal 1700 (S1908). It then transmits the program 1733 (S1909), and concludes the process.
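
The procedures of FIG. 16 and FIG. 19 (S1601 to S1608 and S1901 to S1909), together with the per-program entitlement check described in the second embodiment, as an added Go example that is not part of the patent and not the applicant's code. The (terminal ID, program ID) counter of the fourth embodiment reduces to the per-terminal counter of the third embodiment when a single program is registered, so one server covers both procedures. The field names, the string and int types, a distribution start ID that begins at 1, and the contents of the program specific information are assumptions; the page specifies only what each table records and the order of the steps.

```go
package main

import (
	"errors"
	"fmt"
)

// Request is what the terminal sends (S1901, S1902): its terminal ID, which the
// page says cannot be rewritten externally, and the ID of the program it wants.
type Request struct {
	TerminalID string
	ProgramID  string
}

// Response carries the program body, common to all terminals, and the program
// specific information, which is nil when only the body is sent (S1909 alone).
type Response struct {
	ProgramBody  []byte
	SpecificInfo []byte
	SpecificID   int // allocated from the distribution start ID; 0 when none
}

type countKey struct{ terminalID, programID string }

// Server holds the tables of the fourth embodiment. Field names and the
// string/int types are assumptions; the page gives only the table contents.
type Server struct {
	limit    int                        // the prescribed value compared in S1904
	bodies   map[string][]byte          // program ID -> program body
	entitled map[string]map[string]bool // program ID -> terminals the program is subject to run on (chart 1210)
	nextID   map[string]int             // program ID -> distribution start ID (chart 1810)
	counts   map[countKey]int           // distribution number information 1800
}

func NewServer(limit int) *Server {
	return &Server{
		limit:    limit,
		bodies:   map[string][]byte{},
		entitled: map[string]map[string]bool{},
		nextID:   map[string]int{},
		counts:   map[countKey]int{},
	}
}

// AddProgram registers a program body and the terminals entitled to run it; the
// first specific information ID handed out is assumed to be 1.
func (s *Server) AddProgram(programID string, body []byte, terminals []string) {
	s.bodies[programID] = body
	allowed := map[string]bool{}
	for _, t := range terminals {
		allowed[t] = true
	}
	s.entitled[programID] = allowed
	s.nextID[programID] = 1
}

// makeSpecificInfo stands in for the server's creation of program specific
// information; the page says only that it differs per terminal (placeholder).
func makeSpecificInfo(programID, terminalID string, id int) []byte {
	return []byte(fmt.Sprintf("psi:%s:%s:%d", programID, terminalID, id))
}

// Handle follows FIG. 19, with the entitlement check of the second embodiment
// done first: a terminal the program is not subject to run on gets nothing.
func (s *Server) Handle(req Request) (Response, error) {
	if !s.entitled[req.ProgramID][req.TerminalID] {
		return Response{}, errors.New("program is not subject to run on this terminal")
	}
	body := s.bodies[req.ProgramID]
	key := countKey{req.TerminalID, req.ProgramID}
	// S1903, S1904: at or above the prescribed value, the body only.
	if s.counts[key] >= s.limit {
		return Response{ProgramBody: body}, nil
	}
	// S1905, S1906: allocate from the distribution start ID and advance it.
	id := s.nextID[req.ProgramID]
	s.nextID[req.ProgramID] = id + 1
	// S1907: count the distribution before anything leaves the server.
	s.counts[key]++
	// S1908, S1909: specific information, then the body.
	return Response{
		ProgramBody:  body,
		SpecificInfo: makeSpecificInfo(req.ProgramID, req.TerminalID, id),
		SpecificID:   id,
	}, nil
}

func main() {
	// Prescribed value 1 (third embodiment's setting); terminal 0003 is not entitled to program 0001.
	s := NewServer(1)
	s.AddProgram("0001", []byte("player body, identical for every terminal"), []string{"0001", "0002"})
	for _, r := range []Request{{"0001", "0001"}, {"0001", "0001"}, {"0002", "0001"}, {"0003", "0001"}} {
		resp, err := s.Handle(r)
		if err != nil {
			fmt.Printf("terminal %s, program %s: refused (%v)\n", r.TerminalID, r.ProgramID, err)
			continue
		}
		fmt.Printf("terminal %s, program %s: body %d bytes, specific info %q\n", r.TerminalID, r.ProgramID, len(resp.ProgramBody), resp.SpecificInfo)
	}
}
```

With the prescribed value set to 1 the second request from terminal 0001 receives the body alone, which is the revocation-avoidance property of the third embodiment; with a value of 2 or more one re-distribution is permitted, which is the hard disk breakdown case. Because the counter is incremented in S1907 before the specific information is transmitted, a transmission failure after that step consumes one of the terminal's permitted distributions; a server built on this procedure has to decide whether to roll the counter back in that case.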

As mentioned above, by possessing the distribution number information holding unit 1740 and the program/specific information correspondence chart holding unit 1750, and by managing the distribution of program specific information 1735 using the distribution number information 1800 and the program/specific information correspondence chart 1810 held in the respective storage units, the server apparatus 1720 in the present embodiment can prevent program specific information 1735 from being distributed, for the same program running on a single information processing terminal 1700, a number of times equaling or exceeding a prescribed value, and an information processing terminal 1700 attempting the unauthorized use of program specific information 1735 can be revoked.

Furthermore, in the present embodiment, by managing the distribution of program specific information on a per-program basis, the server apparatus 1720 can determine for each program whether or not program specific information 1735 can be distributed.

Moreover, although a data storage unit 1706 and a program storage unit 1705 are separate in the present embodiment, they can also be a single storage unit. Furthermore, the format of the distribution number information 1800 indicated in the present embodiment is one example, and other information may be added. Likewise, the format of the program/specific information correspondence chart 1810 is one example, and management can be done using a different format. Furthermore, in the present embodiment, the request from the information processing terminal 1700 can be either a program distribution request, which involves the distribution of a program, or a program specific information distribution request, which does not.

As mentioned above, by possessing the specific information distribution history holding unit, the server apparatus in the present invention can prevent an information processing terminal from obtaining new program specific information corresponding to a previously distributed program, so that the unauthorized act of an information processing terminal attempting to avoid revocation by obtaining new program specific information can be reliably prevented.

Furthermore, because in the present invention the information processing terminal encrypts the programs it obtains from the server apparatus using a terminal specific key, the burden of program encryption on the server apparatus is reduced. In addition, because the server apparatus creates the entirety of a program as two separately created parts, a program and program specific information, the size of the distribution information managed by the server apparatus can be reduced and the information processing burden lightened, since the server apparatus manages a plurality of program specific information but only one program: the program specific information is comparatively small but differs for each information processing terminal, whereas the single program is large but common to all information processing terminals.

In addition, because the entirety of a program distributed from the server apparatus to an information processing terminal in the present invention comprises a program body that runs on the information processing terminal, a program header, program specific information, and a specific information header, the validity of the information distributed from the server apparatus to the information processing terminal can be confirmed through CA signatures and hash values on the respective pieces of information making up the program.
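
The confirmation described above, as an added Go example that is not the patent's own code: a CA key signs a header that carries an identifier and the SHA-256 hash of the body it describes (program body or program specific information), the terminal verifies the signature on the header before requesting the body and the hash after receiving it, as in claim 28, and then stores the body encrypted under its terminal-specific key with the program identifier bound as associated data, so that the check of claim 29 (using the identifier to confirm that encryption with the specific key was performed correctly) fails for a wrong key, a relabelled identifier or a modified ciphertext. Ed25519, AES-GCM, the header layout and the constructed keys and bodies are my choices; the page specifies only that CA signatures, hash values and identifiers are used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Header is the assumed layout of the program header and the specific information
// header (the page names them but not their layout): identifier, body hash, CA signature.
type Header struct {
	ID   string
	Hash [32]byte
	Sig  []byte
}

// headerBytes is the signed encoding: fixed-length hash first, then the ID, so
// a chosen ID cannot shift where the hash begins.
func headerBytes(id string, hash [32]byte) []byte {
	return append(hash[:], id...)
}

// SignHeader is the CA/server side: hash the body and sign the header.
func SignHeader(priv ed25519.PrivateKey, id string, body []byte) Header {
	h := Header{ID: id, Hash: sha256.Sum256(body)}
	h.Sig = ed25519.Sign(priv, headerBytes(h.ID, h.Hash))
	return h
}

// VerifyHeader is the terminal's first verification (claim 28), run on the header alone.
func VerifyHeader(pub ed25519.PublicKey, h Header, wantID string) error {
	if h.ID != wantID {
		return errors.New("header identifies something other than what was requested")
	}
	if !ed25519.Verify(pub, headerBytes(h.ID, h.Hash), h.Sig) {
		return errors.New("CA signature does not verify")
	}
	return nil
}

// VerifyBody checks a received body against the hash in its verified header.
func VerifyBody(h Header, body []byte) error {
	if sha256.Sum256(body) != h.Hash {
		return errors.New("body does not match the hash in its header")
	}
	return nil
}

// Terminal holds the terminal-specific key; on the device it lives in memory
// that cannot be rewritten externally (claim 27). Here it is a constructed value.
type Terminal struct{ key []byte }

func (t *Terminal) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the program under the terminal-specific key with the program
// identifier as associated data, binding the stored blob to this key and ID.
func (t *Terminal) Store(programID string, body []byte) ([]byte, error) {
	gcm, err := t.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(programID)), nil
}

// Load is the second verification (claim 29): decrypt with the specific key and use
// the identifier to confirm encryption was done correctly; wrong key or ID fails.
func (t *Terminal) Load(programID string, stored []byte) ([]byte, error) {
	gcm, err := t.aead()
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored program is truncated")
	}
	return gcm.Open(nil, stored[:n], stored[n:], []byte(programID))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // CA key pair, constructed for the example
	body := []byte("program body 0001")
	hdr := SignHeader(priv, "0001", body)
	fmt.Println("header verifies:", VerifyHeader(pub, hdr, "0001") == nil, "body verifies:", VerifyBody(hdr, body) == nil)
	k1, k2 := sha256.Sum256([]byte("terminal 0001 key")), sha256.Sum256([]byte("terminal 0002 key")) // constructed keys
	stored, _ := (&Terminal{key: k1[:]}).Store("0001", body)
	_, err := (&Terminal{key: k2[:]}).Load("0001", stored)
	fmt.Println("other terminal's key rejected:", err != nil)
}
```

The header is signed over the hash and the identifier together: a signature over the hash alone would let a valid body be presented under another program's identifier. The nonce is stored in front of the ciphertext and freshly drawn on every Store call, so re-encrypting the same program after a re-download never reuses a nonce under the same terminal key.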

INDUSTRIAL APPLICABILITY

The server apparatus, as well as the program management system, in the present invention is useful as a server apparatus for distributing a program via the network to a personal computer equipped with a communication function and an information processing terminal such as a mobile phone, and is also useful as a program management system between such a server apparatus and information processing terminal.

1-17. (canceled)
18. A server apparatus, connected to an information processing terminal via a network, which decides whether or not to distribute a program in response to a program obtainment request attached with a terminal ID transmitted from the information processing terminal, by referring to a table indicating a relation between a previously distributed program and a terminal ID, the information processing terminal holding the terminal ID that cannot be re-written externally, wherein the program includes a program body running on the information processing terminal and program specific information for running said program body, and the server apparatus comprises a decision unit operable to decide i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the terminal ID attached to the program obtainment request is recorded in the table, and ii) to add the terminal ID and the program specific information, to the table, in a correspondence relation with each other, and distribute the program body and the program specific information to the information processing terminal in the case where said terminal ID is not recorded in the table.
19. The server apparatus according to claim 18, wherein, in response to the program obtainment request from the information processing terminal, the decision unit decides to distribute the program body for each program obtainment request, and distribute the program specific information only once.
20. The server apparatus according to claim 18, wherein a table holding unit holds a table indicating the terminal ID and a number of distributions of the program specific information, and the decision unit, by referring to the table, decides i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the number of distributions corresponding to the terminal ID reaches a prescribed value, and ii) to update the number of distributions corresponding to the terminal ID, described in the table, and distribute the program body and the program specific information to the information processing terminal, in the case where the number of distributions corresponding to the terminal ID does not reach the prescribed value, said terminal ID being attached to the program obtainment request transmitted from the information processing terminal.
21. The server apparatus according to claim 20, wherein the table holding unit holds a table indicating the relation among the terminal ID attached to the program obtainment request from the information processing terminal, a program body ID for uniquely identifying the program body distributed to the information processing terminal having said terminal ID, and the number of distributions indicating the number of times the program specific information has been distributed to the information processing terminal having the terminal ID, and the decision unit, referring to the table, decides i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the number of distributions, corresponding to both the program ID and the terminal ID attached to the program obtainment request transmitted from the information processing terminal, reaches the prescribed value, and ii) to update the number of distributions corresponding to the terminal ID and the program ID, described in the table, and distribute the program body and the program specific information to the information processing terminal, in the case where the number of distributions, corresponding to the program ID as well as the terminal ID attached to the program obtainment request transmitted from the information processing terminal, does not reach the prescribed value.
22. The server apparatus according to claim 21, wherein the prescribed value is a value indicating the number of distributions for the program specific information to be distributed from the server apparatus to the information processing terminal.
23. The server apparatus according to claim 20, wherein the prescribed value is a value indicating the number of distributions for the program specific information to be distributed from the server apparatus to the information processing terminal.
24. The server apparatus according to claim 18, wherein a table holding unit holds a table indicating the relation among the terminal ID attached to the program obtainment request from the information processing terminal, a program body ID for uniquely identifying the program body distributed to the information processing terminal having the terminal ID, and a program specific information ID for uniquely identifying the program specific information distributed to the information processing terminal having the terminal ID, and the decision unit, referring to the table, decides i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the program specific information ID, corresponding to both the program ID and the terminal ID attached to the program obtainment request transmitted from the information processing terminal, is described in the table, and ii) to add the terminal ID, the program specific information ID, and the program ID, to the table, in a correspondence relation with each other, and distribute the program body and the program specific information to the information processing terminal, in the case where the program specific information ID, corresponding to both the program ID and the terminal ID attached to the program obtainment request, is not described in the table.
25. The server apparatus according to claim 18, holds a plurality of the program specific information which is information that is different for each of the information processing terminals, and one program body which is common for the information processing terminals.
26. The server apparatus according to claim 18, wherein the table holding unit holds a table indicating the relation between a program body ID for uniquely identifying the program body and the terminal ID of the information processing terminal on which the program body runs, and the decision unit, referring to the table, decides i) that the program body can be distributed in the case where the program ID and the terminal ID attached to the program obtainment request transmitted from the information processing terminal are in a correspondence relation in the table, and ii) that the program body cannot be distributed in the case where the program ID and the terminal ID attached to the program obtainment request transmitted from the information processing terminal are not in a correspondence relation in the table.
27. A program management system comprising an information processing terminal and a server apparatus which are connected with each other via a network, the information processing terminal holding a terminal ID that cannot be re-written externally, the server apparatus deciding whether or not to distribute a program in response to a program obtainment request attached with the terminal ID transmitted from the information processing terminal, by referring to a table indicating a relation between a previously distributed program and a terminal ID, wherein the information processing terminal includes a storage unit operable to i) store a specific key which is different for each information processing terminal, in a memory that cannot be re-written externally, and ii) encrypt, using the specific key, the program obtained from the server apparatus and store the encrypted program in the memory within the information processing terminal.
28. The program management system according to claim 27, wherein the program includes a program body running on the information processing terminal, a program header storing information regarding the program body, program specific information for running the program body, and a specific information header storing information regarding the program specific information, the information processing terminal sends, to the server apparatus, a header obtainment request for obtaining the program header and the specific information header included in the program for which obtainment is requested, the server apparatus distributes the program header and the specific information header to the information processing terminal in the case where it is decided by the decision unit that the program body can be distributed, and the information processing terminal i) includes a verification unit operable to perform a verification based on the program header and the specific information header, and ii) transmits the program obtainment request to the server apparatus after the verification is performed by the verification unit.
29. The program management system according to claim 28, wherein the program header contains an identifier capable of uniquely identifying the program, and the information processing terminal includes another verification unit operable to decrypt, using the specific key, the program encrypted with the specific key, and verify, using the identifier, whether encryption with the specific key is performed correctly, said program being stored in the memory within the information processing terminal.
30. The program management system according to claim 28, wherein the program, the program header, the program specific information, and the specific information header, are attached with a digital signature.
31. The program management system according to claim 28, wherein the program header contains an identifier capable of uniquely identifying the program, and the specific information header contains an identifier capable of uniquely identifying the program specific information.
32. A program distribution method used by a server apparatus, connected to an information processing terminal via a network, which decides whether or not to distribute a program in response to a program obtainment request attached with a terminal ID transmitted from the information processing terminal, by referring to a table indicating a relation between a previously distributed program and a terminal ID, the information processing terminal holding the terminal ID that cannot be re-written externally, wherein the program includes a program body running on the information processing terminal and program specific information for running said program body, and the method comprises a step of deciding i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the terminal ID attached to the program obtainment request is recorded in the table, and ii) to add the terminal ID and the program specific information, to the table, in a correspondence relation with each other, and distribute the program body and the program specific information to the information processing terminal in the case where said terminal ID is not recorded in the table.
33. A server program used in a server apparatus, connected to an information processing terminal via a network, which decides whether or not to distribute a program in response to a program obtainment request attached with a terminal ID transmitted from the information processing terminal, by referring to a table indicating a relation between a previously distributed program and the terminal ID, the information processing terminal holding a terminal ID that cannot be re-written externally, wherein the program includes a program body running on the information processing terminal and program specific information for running said program body, and the server program includes a step of deciding i) to distribute only the program body to the information processing terminal by prohibiting distribution of the program specific information in the case where the terminal ID attached to the program obtainment request is recorded in the table, and ii) to add the terminal ID and the program specific information, to the table, in a correspondence relation with each other, and distribute the program body and the program specific information to the information processing terminal in the case where said terminal ID is not recorded in the table.